SOAP Basic HTTP authentication with a policy in CTP

Add the following in the services.xml of your AAR service archive:

        <module ref="rampart"/>
        <parameter name="sin.jaas.transport.login.context">Default</parameter>
        <wsp:Policy wsu:Id="BasicAuthPolicy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsp:ExactlyOne>
                <wsp:All>
                    <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                        <wsp:Policy>
                            <sp:TransportToken>
                                <wsp:Policy>
                                    <sp:HttpsToken>
                                        <wsp:Policy>
                                            <sp:HttpBasicAuthentication/>
                                        </wsp:Policy>
                                    </sp:HttpsToken>
                                </wsp:Policy>
                            </sp:TransportToken>
                            <sp:AlgorithmSuite>
                                <wsp:Policy>
                                    <sp:Basic256/>
                                </wsp:Policy>
                            </sp:AlgorithmSuite>
                            <sp:Layout>
                                <wsp:Policy>
                                    <sp:Lax/>
                                </wsp:Policy>
                            </sp:Layout>
                            <sp:IncludeTimestamp/>
                        </wsp:Policy>
                    </sp:TransportBinding>
                    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                        <ramp:policyValidatorCbClass>com.softwareag.wsstack.jaas.callback.MultiLoginPolicyValidatorCallback</ramp:policyValidatorCbClass>
                    </ramp:RampartConfig>
                </wsp:All>
            </wsp:ExactlyOne>
        </wsp:Policy>

  • The communication must happen over HTTPS, as the SOAP WS-Security specification requires for this transport binding.
  • Because the WS-Security specification requires it (the policy contains <sp:IncludeTimestamp/>), every request to this service must carry a SOAP security header with a timestamp. In SoapUI this is added through the WS-Security (WSS) settings (Timestamp); see "WS-Security (WSS) for API Testing | SoapUI".
  • The MultiLoginPolicyValidatorCallback class establishes the connection between the Web Services Stack and the Software AG Security Infrastructure.
  • The "sin.jaas.transport.login.context" parameter points to a JAAS login context defined in /profiles/CTP/configuration/jaas.config. In this example we use the default one, which works with the Software AG internal user store (common/conf/users.xml, common/conf/groups.xml, common/conf/roles.xml). New users can be added using Reverb; role and group assignment is done by manually editing the corresponding files.
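The following is an added example, not code from Software AG or the CTP documentation, showing what a client request that satisfies this policy looks like (HTTP Basic credentials in the HTTP header, a wsu:Timestamp inside a wsse:Security SOAP header) together with a server-side freshness check of the kind the timestamp requirement implies. It assumes a SOAP 1.1 endpoint; the user name, password, Ping body and fixed clock are constructed sample values.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)
FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC, as used in wsu:Created/Expires

def build_request(username, password, body_xml, now, ttl_seconds=300):
    """Return (http_headers, envelope_bytes): Basic credentials go in the HTTP
    Authorization header, the wsu:Timestamp in a wsse:Security SOAP header."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    sec.set(f"{{{SOAP}}}mustUnderstand", "1")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "Timestamp-1"})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = now.strftime(FMT)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = (now + timedelta(seconds=ttl_seconds)).strftime(FMT)
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Content-Type": "text/xml; charset=utf-8"}
    return headers, ET.tostring(env, encoding="utf-8", xml_declaration=True)

def timestamp_is_fresh(envelope_bytes, now, max_skew_seconds=300):
    """Server-side check corresponding to <sp:IncludeTimestamp/>: reject a missing
    or malformed timestamp, one created too far in the future, or one already expired."""
    ts = ET.fromstring(envelope_bytes).find(f".//{{{WSSE}}}Security/{{{WSU}}}Timestamp")
    if ts is None:
        return False
    try:
        created = datetime.strptime(ts.findtext(f"{{{WSU}}}Created"), FMT).replace(tzinfo=timezone.utc)
        expires = datetime.strptime(ts.findtext(f"{{{WSU}}}Expires"), FMT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return False
    skew = timedelta(seconds=max_skew_seconds)  # tolerated clock drift between client and server
    return created <= now + skew and now < expires

def demo():
    """Constructed scenario (sample user, fixed clock) so the outcome is deterministic."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    headers, env = build_request("alice", "s3cret", "<Ping xmlns='urn:example'/>", now)
    return {
        "authorization": headers["Authorization"],
        "envelope": env,
        "fresh": timestamp_is_fresh(env, now),                          # accepted
        "expired": timestamp_is_fresh(env, now + timedelta(minutes=10)),  # past Expires
        "from_future": timestamp_is_fresh(env, now - timedelta(minutes=10)),  # Created beyond skew
    }
```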